SBS 2003 and Server 2008 shared folder privileges?

Posted on 2010-11-24
Medium Priority
Last Modified: 2012-05-10
Hi All,

We currently have 3 different sites which are interlinked via a VPN.  The main site is running on SBS 2003, and the other 2 are running on Server 2008.  All users have access to 3 shared folders through the network, but these are all top level folders, meaning that all users can view everything on each shared folder.  Some folders, such as the admin folder, are set up for a few users and deny access to the rest.

My question is, what is the best practice to set these folders up to make sure that certain users only can view what they require?  Should I set up a separate shared folder for each area? I.e., accounts, sales, quotations etc.?  Create user groups and just add the higher privileged users there?  Is it bad the way these folders are currently set up?

Any help would be appreciated.
Question by:choy77

Expert Comment

ID: 34206244
There are many ways to do this and it's based on your personal preference.  But the extent to which you create different shares should be based on how large you expect the restricted resource to be.

You definitely should create multiple security groups - accounting, admin, sales, etc.  Add members to groups as appropriate.  

For accounting, make a whole new share.  But then if there's one folder within accounting that's super private, you wouldn't make a whole new share.  Just restrict permissions to a group based on that.  For example, if there was a folder that contained salary information that regular accountants and only the CFO and CEO should see, don't make a whole new share - just create a new security group that only contains the CFO and CEO and protect that folder.  

I generally follow that theory - large folder hierarchies get their own share and drive letter.  Tiny folder hierarchies just get restricted by security group.  Medium folder hierarchies - your call.

Author Comment

ID: 34206718
Ok, that makes sense, thanks for the information.  So, say I create a new security group for users I only want to be able to access the accounts folder, how do I go about denying access to the folder for every other user?  Or even hiding the folder so people cannot view it?  Are you aware of a lot of companies that operate this way, with shared folders like this?  Or is this living dangerously?


Author Comment

ID: 34206757
On another note, is there a prefix in which new security groups should be given? Or a way in which they should be named?


Author Comment

ID: 34206869
And how can I stop users from deleting folders which they have not created, and put certain users in a group who will be able to delete folders/files etc?

Expert Comment

by:Arvis Holland
ID: 34207503
You can go to that top level folder properties, security.  Click the advanced button, edit button, select a user or group, click edit.  Now there is a drop down that probably says "This folder, subfolders, and files".  You can change the Everyone permission here to this folder only.  This allows users and groups to view the subfolders, but you can individually assign permissions to those folders now without an inherited permission from the root folder.  

Remember that the deny permission always overrides allow permissions.

Accepted Solution

dmessman earned 2000 total points
ID: 34229936
To stop users from accessing or deleting folders they don't have access to, don't give them access.  You shouldn't really need to set deny permissions.

Let's say you have an accounting folder with subfolders of A, B, and C.  You want all accountants to access A and B, but only a group of accountants called CFO to access C.  

Create a share called accounting.  

For the accounting share, give the accountants group full control to the accounting share and all subfolders (as described above by sivra).

Now, go to folder C.  Edit the security group permissions and remove accountants group.  Add the CFO group.  Apply to that folder and all subfolders.  Now, accountants won't be able to access that folder.  There is no deny permission - but no allow permission, so only members of the CFO group will be able to access it.
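
The steps in the accepted answer as a PowerShell script, added here as an example and not part of the original thread. The path `D:\Shares\Accounting` and the groups `CONTOSO\Accountants` and `CONTOSO\CFO` are assumptions; it assumes an elevated session on the Server 2008 file server and that both groups already exist.

```powershell
# Added example. Path and group names are assumptions, not from the thread.
$root   = 'D:\Shares\Accounting'     # hypothetical folder behind the share
$acct   = 'CONTOSO\Accountants'      # hypothetical group: folders A and B
$cfo    = 'CONTOSO\CFO'              # hypothetical group: folder C only
$always = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function New-AllowRule([string]$Identity) {
    # Allow ACE for "this folder, subfolders and files". The answer grants
    # Full Control; Modify is the narrower right if users must not edit ACLs.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

function Set-ExplicitAccess([string]$Path, [string[]]$Identities) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited ACEs, so a
    # group granted higher up no longer reaches this folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Identities) { $acl.AddAccessRule((New-AllowRule $id)) }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Folder tree and share. The share admits both groups; the NTFS ACLs
#    below do the narrowing.
'A', 'B', 'C' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $root $_) -Force | Out-Null
}
net share "Accounting=$root" "/GRANT:$acct,FULL" "/GRANT:$cfo,FULL"

# 2. Accountants get the share root; A, B and C inherit from it.
Set-ExplicitAccess $root ($always + $acct)

# 3. Folder C: break inheritance so the Accountants ACE no longer applies,
#    then allow only the CFO group. No deny entry is involved.
Set-ExplicitAccess (Join-Path $root 'C') ($always + $cfo)

# 4. Check the result: list the ACEs on C and flag any entry for Accountants.
function Get-AceReport([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}
$onC = Get-AceReport (Join-Path $root 'C')
$onC | Format-Table -AutoSize
if ($onC | Where-Object { $_.IdentityReference.Value -eq $acct }) {
    Write-Warning "$acct still has an ACE on folder C"
}
```

Explicit ACEs that already existed on a folder are kept by `Set-ExplicitAccess`, so the report in step 4 is where leftovers from an earlier setup show up.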


Author Closing Comment

ID: 34360731
Thanks for your help
